Considering taking your business online during the Coronavirus outbreak?


It doesn’t seem to matter how big or small your business is: everyone is being impacted one way or another by the Coronavirus outbreak. Whilst a lot of businesses are having to pause work for their employees and are putting them on furloughed salaries while there is no work for them, other businesses are looking at how they can adapt (or pivot, which seems to be a popular word at the moment), either by doing things differently (thinking outside the box on how they continue to deliver their services) or by doing something completely different (e.g. changing production to products that the NHS and the care sector are in desperate need of).

Some businesses are realising that they need to up their online game or indeed take their business online, something they possibly didn’t need to consider in the past. This means that some web developers have seen an increase in enquiries about building e-commerce sites or add-ons to existing sites to offer products to an online market. If you have time on your hands to think along these lines, then this is great not just for your business but also for the wider economy.

So, if you’re taking your business online for the first time, what are the GDPR compliance issues you should be thinking about? Here’s our quick checklist (and these points apply whether during the Coronavirus crisis or at any time you decide to take your business online):

  1. Carry out a Data Protection Impact Assessment (DPIA) risk assessment. This will enable you to think about the data protection risks you should consider and mitigate, which are likely to include considering risks to personal data that you’ve not processed like this before, security implications, etc.
  2. Is your website up to scratch? You will need to think about what needs to be in place on your website to ensure the security of data, and that’s not just about adding a plugin or using a web developer to add an online store. Think about whether you’ve got an SSL certificate set up on your domain (that’s the thing that gives you a secure https:// connection for your website) and whether your website software is up to date. Remember, you may become more of a target for hackers if they think your site may have personal data in the backend, so keep your website software updated and put software protections (e.g. website firewalls) in place if appropriate.
  3. Decide how you’re going to manage admin access to the backend of your website. For example, if you are using a third party to build the site and manage it for you, will they have admin access to the backend, which in turn might mean access to customer data (if stored in the website database)? If so, make sure they are GDPR compliant and get a data processing contract in place with them. Furthermore, make sure that any admin users are audited regularly so that old admin users don’t still have unnecessary access.
  4. Understand where the data you’re collecting from online sales is going to be stored – if it’s not within the EU then you will need to make sure the GDPR’s restricted transfer rules are followed for any providers or processors.
  5. Update your privacy policy (and cookie policy if separate) to cover off any changes, e.g. add an “if you buy from us online” section which sets out what happens with a customer’s data when they buy something online, how that data will be shared with payment gateways, etc.
  6. Consider your marketing wording and make sure it fits with the privacy rules around consent – remember PECR allows you to market to existing customers, but you should tell them that’s what you’re doing and give them an option to opt out at the point of sale.
  7. Put in place an internal website process/policy document which sets out how the website will be managed going forward, any controls for your team to ensure they maintain the site, compliance, monitor admin access, etc. Don’t assume your web developer is going to do everything for you (for example, who’s going to keep the website software up to date and monitor security fixes?)
  8. Update your data process register/audit file to include the new data you will be collecting, the lawful basis, etc.

💡 If you need some help with getting to grips with your DPIA or any of the above, we provide resources you can use to do this yourself, or we can help you too – either by providing you support along the way (for example, our Helpline service includes reviews of DPIAs), or we can just do all of it for you. Anyway, take a look at our helpline services or get in touch if you’d like some advice or want to discuss further.


